Cracking Multiple WPA2 Hashes
#1
Hi, I’d like to know if I can crack multiple wpa2 hashes at the same time with a single command, like this:

Code:
hashcat -m 22000 hash.hc22000 -1 ?l?d?u? -a 3 ?1?1?1?1?1?1?1?1?1?1

The file after a conversion

Code:
version (pcapng).........................: 1.0
operating system.........................: Linux 5.16.0-kali7-amd64
application..............................: hcxdumptool 6.2.6
interface name...........................: wlan0
interface vendor.........................: 002129
openSSL version..........................: 1.1
weak candidate...........................: 12345678
MAC ACCESS POINT.........................: 00cb009b656b (incremented on every new client)
MAC CLIENT...............................: b025aa77f3d7
REPLAYCOUNT..............................: 63476
ANONCE...................................: 4586aa9d79a8853862430bd80f75c1f2487d22a00b90820e42645af48bf0bcd2
SNONCE...................................: f677282d6f75b9fd78fe0928ce87d18679f21b9b4990c96451ccbce9eacce305
timestamp minimum (GMT)..................: 07.08.2022 21:11:46
timestamp maximum (GMT)..................: 07.08.2022 22:16:34
used capture interfaces..................: 1
link layer header type...................: DLT_IEEE802_11_RADIO (127)
endianess (capture system)...............: little endian
packets inside...........................: 19233
ESSID (total unique).....................: 73
BEACON (total)...........................: 58
BEACON (detected on 2.4GHz channel)......: 1 2 3 4 5 6 7 8 9 10 11
BEACON (SSID unset)......................: 6
ACTION (total)...........................: 17
ACTION (containing ESSID)................: 1
PROBEREQUEST.............................: 41
PROBEREQUEST (directed)..................: 4
PROBERESPONSE (total)....................: 36
AUTHENTICATION (total)...................: 71
AUTHENTICATION (OPEN SYSTEM).............: 70
AUTHENTICATION (unknown).................: 1
ASSOCIATIONREQUEST (total)...............: 16
ASSOCIATIONREQUEST (PSK).................: 13
REASSOCIATIONREQUEST (total).............: 7
REASSOCIATIONREQUEST (PSK)...............: 7
EAPOL messages (total)...................: 18918
EAPOL RSN messages.......................: 18918
EAPOLTIME gap (measured maximum usec)....: 87925
EAPOL ANONCE error corrections (NC)......: working
REPLAYCOUNT gap (suggested NC)...........: 7
EAPOL M1 messages (total)................: 18673
EAPOL M2 messages (total)................: 172
EAPOL M3 messages (total)................: 60
EAPOL M4 messages (total)................: 13
EAPOL pairs (total)......................: 1038
EAPOL pairs (best).......................: 18
EAPOL ROGUE pairs........................: 15
EAPOL pairs written to combi hash file...: 18 (RC checked)
EAPOL M12E2 (challenge)..................: 15
EAPOL M32E2 (authorized).................: 3
PMKID (useless)..........................: 859
PMKID (total)............................: 2
PMKID (best).............................: 2
PMKID ROGUE..............................: 1
PMKID written to combi hash file.........: 2
malformed packets (total)................: 3
BEACON error (total malformed packets)...: 3

So do I have to edit the hc22000 file to isolate the MAC I’m trying to crack each time I use it?

Would that be a good approach, or would it take longer to recover the password? If it takes the same amount of time, I could try to recover the password for the whole file, instead of just one single MAC address.

I would appreciate any input.
#2
Code:
ESSID (total unique).....................: 73


This would state there were 73 different routers detected; however, it doesn't determine how many devices you received a PMKID or handshake with. So if there is a specific device you're wanting to attack, you'll have to isolate it from the capture and place it in its own text file. This can all be done by simply opening the hc22000 file with your favourite text editor.

When you attack a multi-capture file, you'll see that the attack will list the number of digests and salts. Digests relate to the device which properly submitted the hash and the salts are the total different hashes. So you could have 100 digests and 1 salt and that would mean finding the password for 1 digest would reveal it for the other 99 digests.

CUDA API (CUDA 11.7)
====================
* Device #1: NVIDIA GeForce RTX 3090, 23336/24575 MB, 82MCU
* Device #2: NVIDIA GeForce RTX 3090, 23336/24575 MB, 82MCU
* Device #3: NVIDIA GeForce RTX 3090, 23336/24575 MB, 82MCU
* Device #4: NVIDIA GeForce RTX 3090, 23336/24575 MB, 82MCU

Minimum password length supported by kernel: 8
Maximum password length supported by kernel: 63
Hashes: 36 digests; 36 unique digests, 9 unique salts

So if you have several salts that would become your ratio for the time of the attack. So if you have 100kh/s and 1 salt takes 100 seconds, adding a 2nd salt would increase your time to 200 seconds and so forth. 
#3
That was the best explanation! Thank you so much..!

And one last thing, is there a way to check if the hash has a valid handshake? I’m guessing that if I’m able to isolate the MAC address of that particular router then it should work. (I’m guessing that because I was trying to attack a particular router but I couldn’t find the MAC address in the hc22000 file.)

Thanks again, I really appreciate your help.
#4
Anything parsed by hcxpcapngtool is validated in the process. If the packets do not contain the right data, it will void it as a hash and you will not be able to use it.
#5
"I’m guessing that because I was trying to attack a particular router but I couldn’t find the MAC address in the hc22000 file"
That is always the case if hcxdumptool successfully attacked a CLIENT. In that case, mostly a randomly generated MAC_AP is used by hcxdumptool. If that happened, just look for the ESSID and the MAC_CLIENT.
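The isolation step from posts #2 and #5, as an added example that is not part of the original thread: it parses hc22000 lines, reports digests against salts, and selects entries by ESSID and MAC_CLIENT instead of MAC_AP. The sample lines are constructed, the function names are hypothetical, and the field layout and the one-salt-per-distinct-ESSID counting are assumptions.

```python
from collections import Counter

KINDS = {"01": "PMKID", "02": "EAPOL"}

# Constructed sample, not real capture data. Assumed field layout:
# WPA*TYPE*PMKID_or_MIC*MAC_AP*MAC_CLIENT*ESSID_hex*ANONCE*EAPOL*MESSAGEPAIR
LAB, GUEST = b"LabNet".hex(), b"GuestNet".hex()
SAMPLE = "\n".join([
    f"WPA*01*{'aa' * 16}*020000000001*020000000a01*{LAB}***",
    f"WPA*02*{'bb' * 16}*020000000002*020000000a01*{LAB}*{'cc' * 32}*0103*02",
    f"WPA*02*{'dd' * 16}*020000000003*020000000a02*{GUEST}*{'cc' * 32}*0103*00",
    "# comment or truncated line, skipped by the parser",
])


def parse(text):
    """Return one dict per well-formed hash line; skip anything else."""
    entries = []
    for raw in text.splitlines():
        f = raw.strip().split("*")
        if len(f) != 9 or f[0] != "WPA" or f[1] not in KINDS:
            continue
        try:
            essid = bytes.fromhex(f[5]).decode("utf-8", "replace")
        except ValueError:
            continue  # ESSID field is not valid hex
        entries.append({"kind": KINDS[f[1]], "mac_ap": f[3].lower(),
                        "mac_client": f[4].lower(), "essid": essid,
                        "line": raw.strip()})
    return entries


def summarize(entries):
    """Digest and salt counts, assuming one salt per distinct ESSID."""
    per_essid = Counter(e["essid"] for e in entries)
    return {"digests": len(entries), "salts": len(per_essid),
            "per_essid": dict(per_essid)}


def select(entries, essid=None, mac_client=None):
    """Lines to copy into their own file, matched on ESSID and/or client MAC."""
    return [e["line"] for e in entries
            if (essid is None or e["essid"] == essid)
            and (mac_client is None or e["mac_client"] == mac_client.lower())]


if __name__ == "__main__":
    parsed = parse(SAMPLE)
    print(summarize(parsed))
    for line in select(parsed, essid="LabNet", mac_client="020000000a01"):
        print(line)
```

In the sample, the two LabNet entries carry different MAC_AP values for the same client, which is why the selection keys on ESSID and MAC_CLIENT.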